]> git-server-git.apps.pok.os.sepia.ceph.com Git - ceph-client.git/commit
projects / ceph-client.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7c46bd8) | patch
netfilter: bpf: defer hook memory release until rcu readers are done
authorFlorian Westphal <fw@strlen.de>
Tue, 17 Mar 2026 11:23:08 +0000 (12:23 +0100)
committerFlorian Westphal <fw@strlen.de>
Thu, 19 Mar 2026 09:26:31 +0000 (10:26 +0100)
commit24f90fa3994b992d1a09003a3db2599330a5232a
treee5e94aa247da295d063a5618aaa33cd945a7d5d3tree | snapshot
parent7c46bd845d89ad4772573cfe0f2a56b93db75cc7commit | diff
netfilter: bpf: defer hook memory release until rcu readers are done

Yiming Qian reports UaF when concurrent process is dumping hooks via
nfnetlink_hooks:

BUG: KASAN: slab-use-after-free in nfnl_hook_dump_one.isra.0+0xe71/0x10f0
Read of size 8 at addr ffff888003edbf88 by task poc/79
Call Trace:
 <TASK>
 nfnl_hook_dump_one.isra.0+0xe71/0x10f0
 netlink_dump+0x554/0x12b0
 nfnl_hook_get+0x176/0x230
 [..]

Defer release until after concurrent readers have completed.

Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 84601d6ee68a ("bpf: add bpf_link support for BPF_NETFILTER programs")
Signed-off-by: Florian Westphal <fw@strlen.de>
net/netfilter/nf_bpf_link.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.